Manhattan U.S. Attorney and FBI Assistant Director in Charge Announce Charges in Connection with Blackshades Malicious Software That Enabled Users Around the World to Secretly and Remotely Control Victims’ Computers
Blackshades RAT Enabled Users to Activate Victims’ Web Cameras and Steal Files and Account Information; RAT was Purchased by Thousands of People in More than 100 Countries and Used to Infect More Than Half-a-Million Victim Computers

U.S. Attorney’s Office
May 19, 2014

Southern District of New York(212) 637-2600

FBI New York Press Office(212) 384-2100

Preet Bharara, the United States Attorney for the Southern District of New York, and George Venizelos, the Assistant Director in Charge of the New York Field Office of the Federal Bureau of Investigation (FBI), announced today the unsealing of an indictment charging Alex Yücel, the owner of an organization known as Blackshades, that, since 2010, has sold and distributed to thousands of people in more than 100 countries a sophisticated and pernicious form of malicious software, or malware, known as the Blackshades remote access tool, or RAT. The RAT was co-created by Yücel and has been used to infect computers throughout the world to spy on victims through their web cameras, steal files and account information, and log victims’ key strokes. Also unsealed today were criminal complaints against Brendan Johnston, who was paid by Blackshades to help market and sell malware, including the RAT, and provide technical assistance to its users; Kyle Fedorek, who purchased the RAT and used it to steal online account information from hundreds of victims; and Marel Rappa, who purchased the RAT and used it to spy on dozens of victims and steal online account information. Yücel was arrested in Moldova in November 2013 and is pending extradition to the United States. Johnston was arrested yesterday in Thousand Oaks, California, and will be presented today in the Central District of California.

Fedorek and Rappa were arrested at their residences this morning and will be presented later today before United States Magistrate Judge James L. Cott in Manhattan federal court.

Michael Hogue, the co-creator of the RAT, was arrested in June 2012 as part of the government’s investigation known as Operation Cardshop and subsequently pled guilty before U.S. District Judge Kevin Castel in January 2013. A transcript of his guilty plea was unsealed this morning.

In addition to the criminal charges, a domain name associated with the Blackshades website was seized pursuant to a seizure warrant obtained in Manhattan federal court.

Manhattan U.S. Attorney Preet Bharara said, “Blackshades’ flagship product was a sophisticated program known as the remote access tool, or RAT for short. The RAT is inexpensive and simple to use, but its capabilities are sophisticated and its invasiveness breathtaking. As today’s case makes clear, we now live in a world where, for just $40, a cybercriminal halfway across the globe can—with just a click of a mouse—unleash a RAT that can spread a computer plague not only on someone’s property but also on their privacy and most personal spaces.”

Assistant Director in Charge of the FBI George Venizelos said, “Armed with $40 and a computer, an individual could easily get the Blackshades remote access tool and become a perpetrator. It required no sophisticated hacking experience or expensive equipment. This tool was purchased by thousands of people in more than 100 countries. The charges unsealed today showcase the top to bottom approach the FBI takes to its cases. We tackled this malware starting with those that put it in the hands of the users, the creators, and those who helped make it readily available, the administrators. We will continue to work with our law enforcement partners to bring to justice anyone who used Blackshades maliciously.”

According to the allegations contained in the indictment and criminal complaints unsealed today in Manhattan federal court:

Overview

Since at least 2010, an organization known as Blackshades has sold and distributed malicious software to thousands of cybercriminals throughout the world. Blackshades’ flagship product was the Blackshades remote access tool, or RAT, a sophisticated piece of malware that enabled cybercriminals to secretly and remotely gain control over a victim’s computer. After installing the RAT on a victim’s computer, a user of the RAT had free rein to, among other things, access and view documents, photographs and other files on the victim’s computer, record all the keystrokes entered on the victim’s keyboard, steal the passwords to the victim’s online accounts, and even activate the victim’s web camera to spy on the victim—all of which could be done without the victim’s knowledge. The FBI’s investigation has shown that the RAT was purchased by at least several thousand users in more than 100 countries and used to infect more than half a million computers worldwide.

Purchasing and Installing the Blackshades RAT

The RAT was typically advertised on forums for computer hackers and marketed as a product that conveniently combined the features of several different types of hacking tools. Copies of the Blackshades RAT were available for sale, typically for $40 each, on a website maintained by Blackshades.

After purchasing a copy of the RAT, a user had to install the RAT on a victim’s computer—i.e., “infect” a victim’s computer. The infection of a victim’s computer could be accomplished in several ways, including by tricking victims into clicking on malicious links or by hiring others to install the RAT on victims’ computers.

The RAT contained tools known as “spreaders” that helped users of the RAT maximize the number of infections. The spreader tools generally worked by using computers that had already been infected to help spread the RAT further to other computers. For instance, in order to lure additional victims to click on malicious links that would install the RAT on their computers, the RAT allowed cybercriminals to send those malicious links to others via the initial victim’s social media service, making it appear as if the message had come from the initial victim. For example, a RAT user could send an instant message, or IM, to potential victims that appeared to come from the initial victim, inviting them to click on a link that appeared to lead to a legitimate website but that in reality would install the RAT on the potential victim’s computer.

The Capabilities of the RAT

The RAT featured a graphical user interface, which allowed its users to easily view and navigate all of the victim computers that they had infected. Among other things, the user interface listed IP address information for each infected computer, the computer’s name, the computer’s operating system, the country in which the computer was located, and whether the computer had a web camera.

Once a computer was infected with the RAT, the user of the RAT had complete control over the computer. The user could, among other things, remotely activate the victim’s web camera. In this way, the user could spy on anyone within view of the victim’s webcam inside the victim’s home or in any other private spaces where the victim’s computer was used.

The RAT also contained a keylogger feature that allowed users to record each key that victims typed on their computer keyboards. To help users steal a victim’s passwords and other login credentials, the RAT also had a “form grabber” feature. The form grabber automatically captured login information that victims entered into forms on their infected computers (e.g., login screens or order purchase screens for online accounts).

The RAT also provided its users with complete access to all of the files contained on a victim’s computer. A RAT user could use such access to view or download photographs, documents, or other files on a victim’s computer. Further, using a tool known as file hijacker, the RAT enabled users to encrypt, or lock, a victim’s files and demand a “ransom” payment to unlock them. The RAT even came with a prepared script demanding such a ransom.

The RAT also allowed users to exploit victims’ computers to launch other cyber attacks. Infected computers could be gathered into a network and used to launch Distributed Denial of Service (DDoS) attacks against particular websites by repeatedly sending requests to the website in an effort to disable the website and deny service to legitimate customers.

Yücel and the Blackshades Organization

Yücel was the co-creator of the RAT and owned and operated the Blackshades organization. Yücel employed several paid administrators, including a director of marketing, website developer, customer service manager, and a team of customer service representatives; he hired and fired employees, paid employees’ salaries, and updated the malicious software in response to customers’ comments and requests. Blackshades generated sales of more than $350,000 between September 2010 and April 2014.

The Other Defendants

Johnston used Blackshades malware and was a paid employee of the Blackshades organization who, among other things, marketed and sold the RAT and provided technical assistance to users of the RAT to assist them in infecting and remotely controlling victims’ computers with the RAT. In certain online postings, Johnston described himself as an “authorized seller” and “admin,” or administrator, of Blackshades.

Fedorek was a customer of Blackshades who purchased the RAT and used it to steal financial and other account information from more than 400 victims. A search of Fedorek’s computer conducted by the FBI showed that Fedorek was also deploying a variety of other types of malicious software against his victims.

Rappa was a customer of Blackshades who purchased the RAT and used it to infect victims’ computers, spy on those victims using their web cameras, and steal personal files from their computers. A search of Rappa’s computer by the FBI showed that Rappa was also deploying a variety of other types of malicious software against his victims.

* * *

Yücel, 24, of Sweden, is charged with two counts of computer hacking, each of which carries a maximum sentence of 10 years in prison; one count of conspiring to commit access device fraud, which carries a maximum sentence of seven-and-a-half years in prison; one count of access device fraud, which carries a maximum sentence of 15 years in prison; and one count of aggravated identity theft, which carries a mandatory term of two years in prison consecutive to any other sentence that is imposed.

Johnston, 23, of Thousand Oaks, California, is charged with two counts of computer hacking, each of which carries a maximum sentence of 10 years in prison.

Fedorek, 26, of Stony Point, New York, is charged with two counts of computer hacking, each of which carries a maximum sentence of 10 years in prison, and one count of access device fraud, which carries a maximum sentence of 10 years in prison.

Rappa, 41, of Middletown Township, New Jersey, is charged with two counts of computer hacking, each of which carries a maximum sentence of 10 years in prison.

Hogue, 23, of Maricopa, Arizona, pled guilty in January 2013 to two counts of computer hacking, each of which carries a maximum sentence of 10 years in prison. He is awaiting sentencing before the Honorable P. Kevin Castel.

The maximum potential sentences are prescribed by Congress and are provided here for informational purposes only, as any sentencings of the defendants will be determined by the judge.

The charges unsealed today are part of an unprecedented global law enforcement operation involving the participation of 19 countries. As part of the operation, more than 90 arrests have been made and more than 300 searches have been conducted worldwide. Mr. Bharara noted that the investigation is ongoing.

Mr. Bharara praised the extraordinary investigative work of the FBI. Additionally, Mr. Bharara specially thanked all the international law enforcement agencies that assisted this investigation, including the Moldova National Investigation Inspectorate of General Police Inspectorate of Ministry of Interior; the International Relations Department of Prosecutor’s General Office of the Republic of Moldova; Eurojust; the U.S. Department of State’s Diplomatic Security Service and United States Embassy personnel in Chisinau, Moldova; the FBI’s Office of the Legal Attaché to Romania and Moldova; and the FBI’s Office of the Legal Attaché to the Netherlands. He also thanked the Department of Justice’s Office of International Affairs and Computer Crime and Intellectual Property Section for their support.

The case is being prosecuted by the Office’s Complex Frauds and Cybercrime Unit. Assistant U.S. Attorneys James Pastore and Sarah Lai are charge of the prosecution. Assistant U.S. Attorney Paul Monteleoni with the Money Laundering and Asset Forfeiture Unit is in charge of forfeiture aspects of the case.

The charges contained in the indictment and complaints are merely accusations, and the defendants are presumed innocent unless and until proven guilty.